Exchange Pwn2Own Vulnerability April 2021 (Yes, a new one – it’s not Hafnium anymore!)

Let’s mention the important things first: please patch your vulnerable Exchange 2013, 2016 and 2019 servers immediately! The msxfaq site has published an information page about this vulnerability, including instructions on how to patch your Exchange.

Security researchers have demonstrated three high-risk vulnerabilities in Exchange Server systems. Microsoft published information about the vulnerabilities today and already has a patch available.

Even though we at Boll Engineering AG are not associated in any way with the affected product, many of our customers have reported that they run vulnerable systems and may be affected by this bug. We have been asked whether IPS signatures and WAF protections are already in place. We therefore decided to post this article to raise awareness of the vulnerability once more, even though the press has already covered it extensively.

This blog post concerns the following CVEs:

CVE-2021-28480
CVE-2021-28481
CVE-2021-28482
CVE-2021-28483

Protection in place?

We will update this page as soon as our vendors have protection for these vulnerabilities in place.

Last update: 15.04.2021 13:40

Fortinet

Protection is available (currently for FortiClient only)

https://www.fortiguard.com/encyclopedia/endpoint-vuln/67270

Exchange Hafnium Vulnerability March 2021

Let’s mention the important things first: please patch your vulnerable Exchange 2013, 2016 and 2019 servers immediately! The msxfaq site has published an information page about this vulnerability, including instructions on how to patch your Exchange.

Even though we at Boll Engineering AG are not associated in any way with the affected product, many of our customers have reported that they run vulnerable systems and may be affected by this bug. We have been asked whether IPS signatures and WAF protections are already in place. We therefore decided to post this article to raise awareness of the vulnerability once more, even though the press has already covered it extensively.

This blog post concerns the following CVEs:

CVE-2021-26855
CVE-2021-26857
CVE-2021-26858 and CVE-2021-27065

Below you can find the related articles and microsites on this matter from the vendors we distribute.

Please note that some products already had a signature in place when broad exploitation of the vulnerability started. It therefore matters not only whether a signature is available, but also since when it has been active on your system: a signature that reached your device only after the exploitation window offers no assurance that the server was not already compromised, so such systems should additionally be checked for signs of compromise (for example with the detection capabilities referenced below).

Fortinet

Protection is available

https://fndn.fortinet.net/FortiGuard-Alert-Outbreaks/Hafnium-full/

FortiSIEM can also detect activity related to this vulnerability.

Palo Alto

Protection is available

https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/

Kaspersky

Protection is available

https://www.kaspersky.com/blog/exchange-vulnerabilities/38964/

WatchGuard

Protection is available

https://techsearch.watchguard.com/KB?SFDCID=kA10H000000Xe1SSAS
https://www.secplicity.org/2021/03/08/chinese-state-actors-exploit-0-day-vulnerabilities-targeting-on-premise-exchange-server

Palo Alto Firewall Feature: Block Tor Exit nodes with an External Dynamic List (EDL)

The «External Dynamic List» (EDL) feature lets the firewall pull address lists published by third parties. This makes it possible to tighten your own security policies considerably; one use is to block traffic from and to the Tor network.

In the following tutorial I show how to configure the list of Tor exit nodes published at https://check.torproject.org/torbulkexitlist as an IP address list.

1. Create External Dynamic IP List

First, create a new EDL.
Objects > External Dynamic Lists > Add

The list of TOR Exit Nodes and further information can be found here:

Blog Article: https://blog.torproject.org/changes-tor-exit-list-service
Source URL List: https://check.torproject.org/torbulkexitlist

As type, choose «IP List». This type expects one IP address (or CIDR range) per line, which is exactly the format of the provided Tor exit list.

2. Download the CA certificate from the website in .pem format

The list is served over HTTPS, so the server presents a certificate issued by a CA. For the firewall to verify that it is really talking to check.torproject.org, and not loading a spoofed blocklist, it must trust the CA that issued that server certificate. This is solved by importing the CA certificate into the firewall.

Use your browser’s certificate viewer to display the certificate chain and export the CA certificate (the root and, if present, the intermediate) in PEM format. Keep in mind that the site’s CA can change over time; when it does, the EDL refresh will fail until the imported certificate is updated, so keep an eye on the EDL status after changes.

3. Add the CA certificate to the firewall’s certificate list

After you have downloaded the CA certificate, you can upload it to the firewall’s certificate store.

Device > Certificate Management > Certificates > Add

4. Create a certificate profile and add the Tor_CA certificate

Now that the certificate has been uploaded to the firewall’s certificate store, it can be used in a certificate profile.

5. Add the certificate profile to the EDL

Now the certificate profile containing the CA certificate can be selected in the EDL configuration.

Also set the update frequency of the list to match how often it changes; the Tor exit list changes frequently. New entries are picked up automatically with each refresh, and no commit is necessary for them to take effect.

6. Add EDL in Security Policy

Now everything is prepared and the EDL can be used in a security policy as a source or destination address object.

It makes sense to place a rule with the action Deny that uses the EDL near the beginning of your security policies, so it is evaluated before broader allow rules. Using the EDL as source blocks connections arriving from Tor exit nodes. Note that the list contains exit nodes only: Tor clients on your network connect to guard relays, not exit nodes, so using this list as a destination does not by itself prevent hosts from joining the Tor network.

Policies > Security > Add

7. Commit changes

Commit the changes so that they become active.

8. Verify if EDL list contains entries

After the initial synchronization of the list, you can check its content as follows:

Objects > External Dynamic Lists > Edit Tor Exit nodes > List Entries and Exceptions

The list should now contain entries. An empty list after the refresh interval usually points to a failed download (typically the certificate validation), so check the EDL status in that case.
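The following is an added example and not part of the original post or of PAN-OS: it parses a constructed sample list in the «IP List» format the EDL expects (one address or CIDR per line), reports lines the firewall would not be able to load, and mimics a top-of-rulebase deny rule that uses the list as source or destination object. The sample addresses are reserved documentation ranges, not real Tor exit nodes, and the Tor list is not fetched.

```python
"""Offline check of an EDL-style IP list (added example, not from the page).

Assumptions (not from the page): SAMPLE_EDL is a constructed stand-in for
the torbulkexitlist in the PAN-OS "IP List" format; the real list is not
downloaded here.
"""
import ipaddress

# Constructed sample in the torbulkexitlist format: one entry per line.
# Documentation/reserved addresses only; the last line is deliberately bad.
SAMPLE_EDL = """\
192.0.2.10
192.0.2.11
198.51.100.0/24
2001:db8::1
 203.0.113.7
this-is-not-an-ip
"""


def parse_ip_list(text):
    """Parse an EDL "IP List" body into network objects.

    Returns (networks, rejected): single hosts become /32 or /128 networks,
    blank lines are skipped, and lines that are neither an address nor a
    CIDR are returned separately with their line number so the admin can
    see what the firewall would not load.
    """
    networks, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append((lineno, line))
    return networks, rejected


def is_listed(addr, networks):
    """True if addr falls within any entry of the list, i.e. what a rule
    using the EDL as source or destination object would match."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks if net.version == ip.version)


def policy_action(src, dst, networks):
    """Mimic a deny rule at the top of the rulebase that references the EDL
    as source and destination: deny if either side is listed, else allow."""
    if is_listed(src, networks) or is_listed(dst, networks):
        return "deny"
    return "allow"


if __name__ == "__main__":
    nets, bad = parse_ip_list(SAMPLE_EDL)
    print(f"{len(nets)} entries loaded, {len(bad)} rejected: {bad}")
    for src, dst in [("192.0.2.10", "10.0.0.5"),
                     ("10.0.0.5", "198.51.100.77"),
                     ("10.0.0.5", "10.0.0.6")]:
        print(f"{src} -> {dst}: {policy_action(src, dst, nets)}")
```

On the firewall itself the equivalent check of what was actually loaded is the PAN-OS CLI command request system external-list show type ip name followed by the EDL name; the script above is only meant to sanity-check the list format before pointing the firewall at a source.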

Update: Boll USB RJ45 serial console cable. Now also available as a USB-C variant!

Our Boll serial console cable is now also available as a USB-C variant. Administrators with modern USB-C notebooks therefore no longer need an adapter: simply plug it in directly. You will find the article in our partner shop in the category Boll Accessoires, or simply enter the article name ‹UCON90C› in the search box. For further information see the original post below.

Continue reading «Update: Boll USB RJ45 serial console cable. Now also available as a USB-C variant!»

OpenSSL Heartbleed bug information

Here you will find information about the OpenSSL vulnerability and the related vendor information.

«Official» websites
http://heartbleed.com/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Test sites
http://filippo.io/Heartbleed/
https://www.ssllabs.com

Affected OpenSSL versions
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

Continue reading «OpenSSL Heartbleed bug information»

Two new «big ladies»

Once again our eval stock has grown. Alongside the FG-3140B, two large Palo Alto Networks PA-5050 units have joined it for evaluations with gigabit requirements. The devices were designed specifically to secure data center, large enterprise and service provider networks without sacrificing throughput.

Palo Alto Networks’ next-generation firewalls specialise in identifying applications and users in addition to the classic firewall functions. That is, firewall rules are written not only on the basis of IP addresses and ports, but explicitly on the basis of users and applications. Beyond that, the firewall’s GUI offers an excellent way to display the current application activity on the network and to derive the resulting threat picture from it.

Continue reading «Two new «big ladies»»